topic Denied ICMP type=0 ... : no matching session in Network Security

Denied ICMP type=0 ... : no matching session

itops — Tue, 12 Mar 2019 06:10:44 GMT

Hi,

I am unable to get a ping response from a host whose gateway address is the ASA and it’s configured on an another VLAN. Note that connect to the host on other protocols i.e. RDP, HTTP, 23 etc.

Topology is something like this.

My desktop is connected to a Layer3 switch and the office has it’s own local internet breakout. All traffic points back to my core switch which has a default gateway of SonicWall. There is a SHDS connecting Office A to Office B where my VMWare stack is. VLAN1 & 2 are spanned over this SHDS and I have hosts sitting on VLAN1&2 at both sites. Site B has an ASA and it also has a local internet breakout which is working fine.

Problem:

HostX at site B is configured on VLAN1 and I have a desktop-HostY at site A on VLAN1 as well. I am able to ping HostX from HostY and I can access all resources like RDP, HTTP, SSH etc.
HostX at site B is configured on VLAN2 and I have a desktop-HostY at site A on VLAN1,3,4,5. I am unable to ping HostX from HostY but I can access all resources like RDP, HTTP, SSH etc.

Note that HostX’s default gateway is the ASA at site B.

Configuration applied so far:

configured tcp-statebypass on VLAN1 and VLAN2 for the whole corporate range i.e. 10.0.0.0/8 to 10.0.0.0/8 tcp-statebypass
Intra traffic between two same security level interfaces is enabled
Enable traffic between two or more hosts connected to the same interface.

Is there any this which i have missed which could be denying icmp requests

Can you try following command

Rishabh Seth — Wed, 24 Jun 2015 19:07:25 GMT

Can you try following command:

# fixup protocol icmp

If it does not help then try applying asp captures and check why ASA is dropping the traffic and share the details.

Command for asp capture:

cap asp-drop type asp-drop all

show cap asp-drop | include <source_ip of host>

remove captures:

no cap asp-drop.

Hope it helps!!!

Hi Risseth, fixup protocol

itops — Thu, 25 Jun 2015 08:52:05 GMT

Hi Risseth,

fixup protocol icmp did not resolve the issue. Capture from ASA below

show cap asp-drop | include 10.0.60.235
43: 09:49:46.336698 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
100: 09:49:47.343289 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
161: 09:49:48.343121 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
237: 09:49:49.346997 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
308: 09:49:50.351468 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
381: 09:49:51.351468 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
451: 09:49:52.355648 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
531: 09:49:53.359310 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
600: 09:49:54.362942 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
655: 09:49:55.367794 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
710: 09:49:56.370494 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
779: 09:49:57.372905 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
852: 09:49:58.375255 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
915: 09:49:59.376185 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
988: 09:50:00.380885 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1060: 09:50:01.382319 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1139: 09:50:02.383174 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1222: 09:50:03.397531 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1295: 09:50:04.388377 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1359: 09:50:05.392206 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1430: 09:50:06.395258 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1504: 09:50:07.396936 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1563: 09:50:08.399362 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1638: 09:50:09.401529 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1705: 09:50:10.407037 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1778: 09:50:11.412240 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1842: 09:50:12.411096 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
1882: 09:50:13.009765 802.1Q vlan#1 P0 10.0.60.235.61854 > 10.0.0.254.443: F 292292983:292292983(0) ack 2856598740 win 65535 <nop,nop,timestamp 1175996431 4124391004>
1921: 09:50:13.413018 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2000: 09:50:14.414742 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2072: 09:50:15.418816 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2152: 09:50:16.422768 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2237: 09:50:17.426186 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2308: 09:50:18.425881 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2387: 09:50:19.426216 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2463: 09:50:20.431236 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2525: 09:50:21.435890 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2589: 09:50:22.438804 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2669: 09:50:23.442314 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2749: 09:50:24.449958 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply
2819: 09:50:25.449470 802.1Q vlan#2 P0 10.0.2.49 > 10.0.60.235: icmp: echo reply

Hi,inspect-icmp-seq-num-not

Rishabh Seth — Thu, 25 Jun 2015 10:32:28 GMT

Hi,

inspect-icmp-seq-num-not-matched)

From asp drops it is clear that ASA is seeing different sequence number in the reply than the request.

Now you should take captures on the ingress and egress interface to compare the sequence number of the ICMP request and replies.

If the sequence numbers are changing in icmp reply, then you should check why the target machine is sending wrong packets.

You can also try ping test for different source and destination.

Share the details of ICMP captures and also collect multiple output of command with pings flowing in network.

show service-policy | in icmp

Thanks,

R.Seth

Hi. What version of ASA are

Andre Neethling — Thu, 25 Jun 2015 11:02:43 GMT

Hi. What version of ASA are you running?